WASHINGTON – The government’s health insurance website is quietly sending consumers’ personal data to private companies that specialize in advertising and analyzing Internet data for performance and marketing, the Associated Press has learned.
The scope of what is disclosed or how it might be used was not immediately clear, but it can include age, income, ZIP code, whether a person smokes and if a person is pregnant. It can include a computer’s Internet address, which can identify a person’s name or address when combined with other information collected by sophisticated online marketing or advertising firms.
The Obama administration says HealthCare.gov’s connections to data firms were intended to help improve the consumer experience. Officials said outside firms are barred from using the data to further their own business interests.
There is no evidence that personal information has been misused. But connections to dozens of third-party tech firms were documented by technology experts who analyzed HealthCare.gov and then confirmed by the AP. A handful of the companies were also collecting highly specific information. That combination is raising concerns.
Leading lawmakers Tuesday asked the administration to explain how it oversees the data firms to make sure no personally identifiable information is improperly used or shared.
“This new information is extremely concerning, not only because it violates the privacy of millions of Americans, but because it may potentially compromise their security,” Sens. Orrin Hatch, R-Utah, and Charles Grassley, R-Iowa, wrote to the administration.
Created under the president’s health care law, HealthCare.gov is the online gateway to government-subsidized private insurance for people who lack coverage on the job. It serves consumers in 37 states, while the remaining states operate their own insurance markets.
A former White House chief information officer, Theresa Payton, said third-party vendors are a weak link on any website. She questioned both the number of vendors on HealthCare.gov and the specific details some of them are collecting.
“You don’t need all of that data to do customer service,” said Payton, who served under President George W. Bush. “We know hackers are just waiting at the door, salivating to get at this data.”
The privacy concerns come against the backdrop of President Barack Obama’s new initiative to protect personal data online. Separately, the administration is getting the health care website ready for the final enrollment drive of 2015, aiming to have more than 9 million people signed up by Feb. 15 for subsidized private coverage.
Administration spokesman Aaron Albright said outside vendors “are prohibited from using information from these tools on HealthCare.gov for their companies’ purposes.” The government uses them to measure the performance of HealthCare.gov, so consumers get “a simpler, more streamlined and intuitive experience,” he said.
The administration did not explain how it ensures companies were following the government’s privacy and security policies.
Albright said HealthCare.gov comports with standards set by the federal National Institute for Standards and Technology. But recent NIST guidance cautions that collecting bits of seemingly random data can be used to piece together someone’s identity.
In a recent visit to the site, the AP found certain personal details – including age, income and smoking habits – were being passed along, likely without consumers’ knowledge, to advertising and Web analytics sites.
Still, the outside connections surprised a tech expert who evaluated HealthCare.gov’s performance for the AP.
“Personally, I look at this … and I don’t know what is going on between the government and Facebook, and Google, and Twitter,” said Mehdi Daoudi, CEO of Catchpoint Systems. “Why is that there?”
Subscribe to the Morning Review newsletter
Get the day’s top headlines delivered to your inbox every morning by subscribing to our newsletter.